[Cryptography] The Trouble with Certificate Transparency
Theodore Ts'o
tytso at mit.edu
Fri Sep 26 08:19:45 EDT 2014
On Thu, Sep 25, 2014 at 10:41:49PM +0200, Ralph Holz wrote:
> > And that is the problem. In the above scenario it does not help to be
> > able to detect the misuse after successfully being MITMed. Protection
> > against a MITM by use of certs must work when the act of misuse
> > happens or the damage is done already.
>
> CT was designed to make attacks like DigiNotar near impossible - by
> detecting and containing the attack fast, but post-fact. That was before
> the NSA became the attacker everyone is concerned about. CT is about
> transparency.
Indeed; the dispute is really about which problem you are trying to
solve. It's much like the argument about opportunistic encryption (or
security, or whatever term people seem to like these days).
Both won't protect you against a targetted, determined MITM attack.
But both significantly discourage the use of bulk pervasive
monitoring. If that is your threat model, then CT is certainly
useful. In fact, CT is more likely to be more costly, at least from a
public relations / public exposure perspective than the use of a
targetted attack against opportunistic encryption, as CT is more
likely to result in the disclosure of an MITM attack after the fact
compared to merely using an unauthenticated diffie-helman exchange.
Cheers,
- Ted
More information about the cryptography
mailing list